Abstract


Distributed approaches for conflict resolution rely on analyzing the behavior of
each aircraft to ensure that system-wide safety properties are maintained. This
paper presents the criteria method, which increases the quality and efficiency 
of a safety assurance analysis for distributed air traffic concepts. The criteria 
standard is shown to provide two key safety properties: safe separation when 
only one aircraft maneuvers and safe separation when both aircraft maneuver 
at the same time. This approach is complemented with strong guarantees of 
correct operation through formal verification. To show that an algorithm is 
correct, i.e., that it always meets its specified safety property, one must only 
show that the algorithm satisfies the criteria. Once this is done, then the algo- 
rithm inherits the safety properties of the criteria. An important consequence 
of this approach is that there is no requirement that both aircraft execute 
the same conflict resolution algorithm. Therefore, the criteria approach al- 
lows different avionics manufacturers or even different airlines to use different 
algorithms, each optimized according to their own proprietary concerns. 
1 Introduction


Two basic approaches for conflict detection and resolution are being considered 
for the NextGen Airspace: (1) a centralized concept, where a single authority 
detects conflicts and makes resolution decisions for several aircraft, and (2) a 
distributed concept, where the elements of the system make individual deci- 
sions about maintaining conflict-free trajectories. There are advantages and 
disadvantages to each approach, and any future air traffic system will likely 
have both centralized and decentralized features. If the system is primarily 
centralized and highly automated, then the safety of the system hinges on 
assuring the correctness of the software performing the separation function 
and on many other factors. Alternatively, in a distributed approach the safety 
of the system cannot just rely on examining the software that is running on 
the aircraft but must involve analyzing a distributed property between the air- 
craft. For this reason, the safety analysis of a distributed system is probably 
more complex than a similar analysis for a centralized approach. This pa- 
per presents a criteria method, which simplifies the analysis of self separation 
while expanding the possibility of diverse applications. 

This criteria method may be used for distributed airspace systems where 
aircraft execute different resolution algorithms, and it can also be used where 
each aircraft executes the same algorithm. The second approach was taken
in the design of the Traffic Collision Avoidance System (TCAS). A diverse 
international committee met for many years and came to agreement on the 
TCAS II algorithm [8]. The first approach is attractive because a large num-
ber of resolution algorithms have been proposed in recent years (see [4] for a 
collection of examples) and it is difficult to imagine that everyone will agree on 
mandating a single algorithm. The criteria standard allows different avionics
manufacturers and perhaps different airlines to implement different algorithms,
which are optimized for different proprietary goals. All of these algorithms will 
interact safely, provided that each algorithm is shown to meet the criteria. In 
this concept the international community agrees on the criteria rather than on 
a single algorithm. This paper presents proven results that if two algorithms 
both meet the criteria presented in this paper, then their combined behavior 
is safe with respect to separation, i.e., the combined effect of their maneuvers 
resolves the conflict. 

This paper introduces criteria that provide strong guarantees of safe sepa- 
ration as long as the aircraft use state-based conflict resolution algorithms that 
satisfy the common criteria, even when the algorithms are different. Safe sepa- 
ration is guaranteed for all encounter geometries if only one aircraft maneuvers 
or if both aircraft maneuver to avoid the conflict. When both aircraft maneu- 
ver to avoid a conflict, we must ensure that the combination of the maneuvers 
is safe. One way to achieve this coordinated behavior is for the aircraft to 
explicitly communicate their intentions: “I will climb, so you should descend.”
However, we focus on the concept of implicit coordination, which means that
when two aircraft maneuver, the combined effect resolves the conflict without 
any additional communication between them. Only ADS-B surveillance data 
that is periodically broadcast by all appropriately equipped aircraft is used 
in implicit coordination. The concept presented here will guarantee implicit 
coordination for arbitrary combinations of tactical guidance maneuvers (e.g., 
track only, ground speed only, vertical speed only). For example, one air- 
craft may select a ground-speed solution and the other aircraft a track-only 
solution, and the combined effect will still maintain separation. There are 
several other advantages that accrue from the implicit coordination approach, 
including: (1) less demand on the radio frequency spectrum, (2) the concept 
is procedurally simpler and hence less error prone, and (3) less workload on 
the pilot and controllers. 

This paper presents a framework for facilitating the verification of many
different algorithms in a mathematically rigorous way, i.e., via formal methods.
The concept is built on the idea of having an intermediate verification layer,
called the criteria layer. This is illustrated in Figure 1: The top layer (yellow)
defines mathematical correctness for both horizontal maneuvers and vertical
maneuvers. The middle layer (light blue) contains the equations that define
the criteria, and the bottom layer contains the conflict resolution algorithms.
The middle layer is the key to achieving our goals. The correctness statements
at the top level are state-based, that is, they are specified in terms of the
current position and velocity vectors of the two aircraft. There is no attempt
to incorporate intent information in this formulation.

Figure 1. Criteria Concept

The criteria layer consists of mathematical formulas that are shown to be 
sufficient to guarantee correctness via formal mathematical proofs. The formu- 
las are analytically defined so that many different algorithms can be checked 
against the criteria in a straight-forward way. Also, the criteria only use in- 
formation available to the local aircraft. Each algorithm is then separately 
shown to satisfy the criteria and thereby inherits the system-wide safety prop- 
erties. The criteria can also be used as a filter on any resolution algorithm 
that computes multiple solutions. Only solutions that meet the criteria are 
allowed to be executed and hence this revised, filtered algorithm will inherit 
all of the coordination properties. 

This paper proceeds first with a description of notation in Section 2. Sec- 
tion 3 presents individual criteria for different kinds of situations: horizontal 
conflict resolution, horizontal loss of separation recovery, vertical conflict res- 
olution, and vertical loss of separation recovery. Criteria are also presented 
that combine the horizontal and vertical criteria in the case of 3-dimensional 
conflict and loss of separation. Section 4 provides theorems stating that the 
criteria guarantee independence and coordination. Most resolution maneuvers 
have two complementary solutions: turn left or right, go up or down, etc. 
Section 5 describes how an algorithm should choose between these comple- 
mentary resolutions. In Section 6 there is a discussion about the issues that 
might arise within an international committee that seeks to adopt the criteria 
concept. Finally, Section 7 discusses how the criteria standard would work in 
conjunction with strategic resolution methods that rely on intent information. 

The contributions of this paper include: (1) a vision for guaranteeing the 
safety of the next generation air-traffic management system, based on the 
criteria approach, (2) the proposal of a specific set of criteria for meeting this 
vision, and (3) a summary of the mathematical theory used in the criteria. 


2 Notation 


We consider two aircraft, the ownship and the traffic aircraft, that are poten-
tially in conflict in a 3-dimensional airspace. The conflict resolution algorithms
discussed here only use state-based information, e.g., initial position and veloc-
ity and straight line trajectories, i.e., constant velocity vectors in a Euclidean
coordinate system.

We use the following notations:

  $\mathbf{s}_o$   3D vector   Initial position of the ownship aircraft
  $\mathbf{v}_o$   3D vector   Initial velocity of the ownship aircraft
  $\mathbf{s}_i$   3D vector   Initial position of the traffic aircraft
  $\mathbf{v}_i$   3D vector   Initial velocity of the traffic aircraft


The components of each vector are scalar values, so they are represented with-
out the bold-face font, for example $\mathbf{s}_o = (s_{ox}, s_{oy}, s_{oz})$. As a simplifying as-
sumption, we regard the position and velocity vectors as accurate and without 
error. Recent work shows how measurement errors in the state information 
can be correctly handled by state-based conflict detection and resolution algo- 
rithms through the use of appropriate safety buffers [3]. Also, the assumption 
that the resolutions are executed instantaneously can be mitigated through 
the use of algorithms that filter infeasible solutions, e.g., algorithms that use 
models of turn dynamics to determine whether there is sufficient time for a 
turn to complete. 

For notational convenience, all the dot products in this paper are two-
dimensional, $\|\mathbf{w}\|$ denotes the norm of the 2-dimensional projection of $\mathbf{w}$, i.e.,
$\|\mathbf{w}\| = \sqrt{w_x^2 + w_y^2}$, and $\mathbf{w}^2$ denotes $w_x^2 + w_y^2$.

It is mathematically convenient to use a translated coordinate system. The
relative position $\mathbf{s}$ of the ownship with respect to the traffic aircraft is defined
to be $\mathbf{s} = \mathbf{s}_o - \mathbf{s}_i$, and the relative velocity is denoted by $\mathbf{v} = \mathbf{v}_o - \mathbf{v}_i$. Within
this translated coordinate system, the traffic aircraft is at the origin of the 
coordinate system and does not move. The separation requirements in the 
airspace systems are specified as a minimum horizontal separation D and a 
minimum vertical separation H (typically, D is 5 nautical miles and H is 
1000 feet). Horizontal and vertical perspectives of this coordinate system are 
illustrated in Figure 2. 

An aircraft trajectory is modeled as a particle with an initial position s, 
a constant velocity vector v, and a time parameter t. As usually done in 
state-based conflict detection and resolution, we ignore the effects of wind and 
only use ground speed in the paper. The location of the aircraft at time t is 
therefore s + tv. We will use prime notation to indicate a new velocity vector 
that is computed by a conflict resolution algorithm, e.g., v'. 


3 Criteria 

Criteria represent the key safety requirements on the resulting velocity vectors
from an airspace separation algorithm. Formally, a criterion is a predicate on
the set of relative resolution maneuvers. These resolution maneuvers, denoted
$\mathbf{v}'$, solve a safety issue related to separation. Two kinds of separation issues
are considered in this paper: (1) when the two aircraft are in conflict, i.e., a
predicted loss of separation, and (2) when the two aircraft are currently in loss
of separation. If an algorithm ensures that its vectors satisfy a given criterion,
then the algorithm correctly solves the separation issue, e.g., in the case of a
conflict, the impending conflict is avoided, or in the case of loss of separation,
separation is eventually recovered. The criteria are summarized in appendix B.

Figure 2. Relative Horizontal and Vertical Perspectives

3.1 Horizontal Criterion for Conflict Resolution 

The horizontal criterion for conflict resolution is defined as follows.

Definition 3.1 (horizontal criterion).

$$\mathrm{horizontal\_criterion}(\mathbf{s}, \varepsilon)(\mathbf{v}') \;\equiv\; \mathbf{s} \cdot \mathbf{v}' \ge R\,\varepsilon\,\det(\mathbf{s}, \mathbf{v}'),$$

where $R = \sqrt{\mathbf{s}^2 - D^2}/D$ and $\varepsilon$ is a unit value $\pm 1$, which we will call a direction
parameter. Any vector $\mathbf{v}'$ that satisfies this formula will resolve the conflict
if the traffic aircraft does not maneuver. If both aircraft maneuver, then
both aircraft must select resolutions using the same $\varepsilon$. This is illustrated in
Figure 3. The current ownship velocity vector is shown in blue and the current
traffic velocity vector is shown in magenta. If the conflict resolution systems
on both aircraft produce resolution vectors anywhere in their green regions,
the combined result will be implicitly coordinated. Similarly, if the conflict
resolution systems on both aircraft produce resolution vectors anywhere in
their blue regions, the combined result will be implicitly coordinated. If only
one aircraft maneuvers, then a vector in either the green or blue region will
suffice. The criterion can also be applied to ground speed solutions. This is
illustrated in Figure 4.

Figure 3. Visualization of Horizontal Criterion for Conflict

A few observations can be made about this criterion. First, it depends on
$\mathbf{v}'$, where $\mathbf{v}' = \mathbf{v}'_o - \mathbf{v}_i$, which only uses data that is available locally to an
aircraft. In particular, it does not depend upon $\mathbf{v}'_i$, the resolution that will
be computed on the traffic aircraft. This is fundamental to achieving implicit
coordination, because otherwise an explicit exchange of these computed values
would be necessary. Also, although figures 3 and 4 illustrate situations where
only one of the ownship’s track angle or ground speed changes, the criterion is
more general. It applies to velocity vectors $\mathbf{v}'$ where both the ownship’s track
angle and ground speed change.

3.2 Horizontal Criterion for Loss of Separation 

The horizontal criterion for loss of separation is defined as follows.

Definition 3.2 (horizontal los criterion).

$$\begin{aligned}
\mathrm{horizontal\_los\_criterion}(\mathbf{s}, \mathbf{v}, T_h)(\mathbf{v}') \;\equiv\;
& \mathbf{s} \cdot \mathbf{v}' > \mathbf{s} \cdot \mathbf{v} \text{ AND} \\
& \mathbf{s} \cdot \mathbf{v}' > \mathrm{exit\_dot\_min}(\mathbf{s}, T_h),
\end{aligned}$$

where

Figure 4. Horizontal Criterion for Ground Speed

If the relative velocity $\mathbf{v}'$ satisfies these two equations, then the criterion is
met. Note that the second term implies that the new dot product is positive,
which is sufficient to ensure divergence. The second term also ensures that the
recovery from the loss of separation is achieved within time $T_h$. The correctness
theorems then ensure that if either aircraft or both aircraft execute a resolution
that meets this criterion, then the combined result will be divergence. This is
illustrated in Figure 5. The horizontal criterion for loss of separation gives only
one region for each aircraft to choose from, namely the green region. In this
example the ownship has more options because of its greater ground speed. In
Figure 6, we illustrate the impact of the second conjunction of the criterion.
The purple region shows the reduced set of vectors that are needed to escape
the protection zone within a bounded time.

Once again it should be noted that the criterion only uses data that is
available locally on an aircraft. It does not depend upon $\mathbf{v}'_i$, the resolution
that will be computed on the traffic aircraft. Thus, an explicit exchange of
information is not necessary to achieve safe self-separation.

3.3 Vertical Criterion for Conflict Resolution 

The vertical criterion is more complex than the horizontal criterion because
it is 3-dimensional. It is certainly possible to create a one-dimensional crite-
rion that is suitable for vertical-speed-only solutions. However, such a one-
dimensional criterion would leave out resolution maneuvers that solve conflicts
vertically using ground-speed or track solutions. These kinds of resolutions
are possible when the aircraft are already in a climb or descent. In the relative
coordinate frame, these solutions fall within a 3-dimensional region of space.

Figure 5. Horizontal Criterion For Loss of Separation Recovery

Figure 6. Impact of Second Conjunction of the Criterion

The basic idea is to define a half plane (Figure 7) such that any vector
that intersects this plane satisfies the criterion. We will present the formulas
that define this 3-dimensional criterion subsequently, but it is helpful to first
examine the criterion for the special cases where only the vertical speed is
changed. This special case is one-dimensional.

Figure 7. Vertical Criterion

3.3.1 Vertical Criterion For Vertical Speed Only 

There are three basic cases that must be considered: 

• Both horizontal and vertical separation exist originally (see Figure 8). 

• Only horizontal separation exists originally (see Figure 9). 

• Only vertical separation exists originally (see Figure 10). 

These regions are determined by the initial position $\mathbf{s}$ and one of the corners
of the protection zone. The horizontal position of a corner is specified using
the horizontal entrance/exit times:

• $\Theta_{-1}$ = horizontal entrance time.

• $\Theta_{+1}$ = horizontal exit time.
Figure 8. Vertical Criterion Vertical Speed Only Case 1

Figure 9. Vertical Criterion Vertical Speed Only Case 2

Figure 10. Vertical Criterion Vertical Speed Only Case 3
and the vertical position of a corner is specified with a flag $\varepsilon$ which indicates
top and bottom:

• $\varepsilon = -1$ indicates the bottom of protection zone.

• $\varepsilon = +1$ indicates the top of protection zone.

Note also that the direction dir, whether an entry (dir $= -1$) into the protec-
tion zone, or an exit (dir $= +1$) from the protection zone, can be calculated
as follows:

$$\mathrm{dir} = \text{IF } |s_z| > H \text{ THEN } \varepsilon \cdot \mathrm{sign}(s_z) \text{ ELSE } -1 \text{ ENDIF}.$$

Note that the following two formulas

$$|s_z| > H \text{ AND } \mathrm{dir} = \varepsilon \cdot \mathrm{sign}(s_z)$$

and

$$|s_z| < H \text{ AND } \mathrm{dir} = -1$$

define the allowed corner points. That is, the border of the criterion region is
defined by a line going through these points. The function sign returns $-1$ if
its argument is negative and $+1$ otherwise.


3.3.2 The General Vertical Criterion Formula 

We will illustrate the concept with the case where there is horizontal separation
and $s_z > H$, which is shown in Figure 11. The point $\mathbf{p}$ can be calculated as
follows:

$$\mathbf{p} = (\mathbf{s} + \Theta_{+1} \mathbf{v}) \text{ WITH } [z := \varepsilon H],$$

which is $(\mathbf{s} + \Theta_{+1} \mathbf{v})$ with the $z$ component replaced with $\varepsilon H$. We now construct
a line perpendicular to $\mathbf{p}$ (and hence tangent to the circle) as illustrated in
Figure 12. Next, we construct the half-plane that passes through this line and
is directly above $p_z$ as illustrated in Figure 7. The vertical criterion states that
if a velocity vector $\mathbf{v}'$ from $\mathbf{s}$ intersects this plane, then it is accepted. The
plane is completely determined by the point $\mathbf{p}$ and logic specifying which half
of the plane is to be used. The point $\mathbf{p}$ defines the vector that is the minimal
vertical speed only solution from $\mathbf{s}$. More formally, we can define the vertical
criterion as follows.

Figure 11. Vertical Criterion Vertical Speed Only Case 3

Figure 12. Construction of Tangent Plane

Definition 3.3 (vertical criterion).

$$\begin{aligned}
\mathrm{vertical\_criterion?}(\mathbf{s}, \mathbf{v}, \varepsilon)(\mathbf{v}') \;\equiv\;
& (\|\mathbf{v}\| = 0 \text{ AND } \varepsilon v'_z > 0 \text{ AND } \varepsilon s_z > H) \\
\text{OR } & (\mathrm{dir} = \text{IF } |s_z| > H \text{ THEN } \varepsilon \cdot \mathrm{sign}(s_z) \text{ ELSE } -1 \text{ ENDIF AND} \\
& \;\Delta(\mathbf{s}, \mathbf{v}) > 0 \text{ AND } \Theta_{\mathrm{dir}} > 0 \text{ AND} \\
& \;\mathbf{p} = (\mathbf{s} + \Theta_{\mathrm{dir}} \mathbf{v}) \text{ WITH } [z := \varepsilon H] \text{ AND} \\
& \;\mathrm{intersects\_half\_plane?}(\mathbf{s}, \mathbf{v}', \mathbf{p}, \varepsilon)).
\end{aligned}$$

The first term deals with the special case where the relative ground speed
between the aircraft is zero, i.e., they are flying parallel to each other. The
auxiliary function intersects_half_plane? is defined as follows:

$$\begin{aligned}
\mathrm{intersects\_half\_plane?}(\mathbf{s}, \mathbf{v}, \mathbf{p}, \varepsilon) \;\equiv\;
& \mathbf{v} \cdot \mathbf{p} \ne 0 \text{ AND} \\
& t = \frac{D^2 - \mathbf{s} \cdot \mathbf{p}}{\mathbf{v} \cdot \mathbf{p}} \text{ AND} \\
& t > 0 \text{ AND} \\
& \varepsilon (s_z + t v_z) > \varepsilon p_z,
\end{aligned}$$

where the dot products are two-dimensional and $\Delta(\mathbf{s}, \mathbf{v}) = D^2 \mathbf{v}^2 - (\mathbf{s} \cdot \mathbf{v})^2$.

This vertical criterion not only includes the vertical-speed only solutions 
shown in figures 8, 9, and 10, but also vertical resolutions that are achieved by 
modifying horizontal parameters of the aircraft, i.e. , ground speed and track 
angle. This criterion is illustrated in Figure 13. 



Figure 13. Vertical Criterion: Perspective View 


3.4 Vertical Criterion for Loss of Separation Recovery 

The vertical loss of separation criterion is only concerned with the vertical
component ($s_z$ or $v_z$) of the position and velocity vectors. A more general 3-
dimensional version can be envisioned that would allow horizontal maneuvers
that achieve vertical separation when the ownship is currently climbing or
descending. Whether such a generalization is desirable operationally is not
obvious. This criterion has two components: one to ensure that the aircraft
diverge and one to provide a maximum time to recover vertically from the
loss of separation. The predicate vertical_los_criterion? captures this
criterion.

Definition 3.4 (vertical_los_criterion).

$$\begin{aligned}
\mathrm{vertical\_los\_criterion?}(\mathbf{s}, \mathbf{v}, T_v)(\mathbf{v}') \;\equiv\;
& |s_z| < H \text{ AND} \\
& \mathrm{z\_criterion?}(\mathbf{s}, v_z)(v'_z) \text{ AND} \\
& T_v > \mathrm{ttez}(s_z, v'_z).
\end{aligned}$$
The function ttez computes the time to exit vertically as follows:

$$\mathrm{ttez}(s_z, v_z) = \frac{\mathrm{sign}(v_z)\,H - s_z}{v_z}$$

for non-zero $v_z$.

The predicate z_criterion? provides one way to guarantee that the two
aircraft will diverge.

$$\begin{aligned}
\mathrm{z\_criterion?}(\mathbf{s}, v_z)(v'_z) \;\equiv\;
& v'_z \ne 0 \text{ AND} \\
& \mathrm{z\_prop?}(s_z, v'_z) \text{ AND} \\
& (\mathrm{z\_prop?}(s_z, v_z) \text{ OR} \\
& \quad \text{IF } v_z \ne 0 \text{ THEN} \\
& \qquad \mathrm{sign}(v_z)\, v'_z > 0 \\
& \quad \text{ELSE} \\
& \qquad \mathrm{break\_symmetry}(\mathbf{s})\, v'_z > 0 \\
& \quad \text{ENDIF}),
\end{aligned}$$

where z_prop? is defined as

$$\mathrm{z\_prop?}(s_z, v_z) \;\equiv\; s_z v_z > 0,$$

and sign returns $-1$ if its argument is negative and $+1$ otherwise.

The divergence criterion is conceptually simple even though the formal
specification is somewhat lengthy. The key idea is contained in z_prop?,
which sends an aircraft upward if it is higher and downward if it is lower than
the other aircraft. The break_symmetry function returns a unit value, i.e.,
$\pm 1$, and is used in the situation where the original vertical speeds are equal
(i.e., $v_z = 0$) to overcome the symmetry. It can be any function which satisfies
the following two properties:

$$\mathbf{s} \ne 0 \implies \mathrm{break\_symmetry}(-\mathbf{s}) = -\mathrm{break\_symmetry}(\mathbf{s}),$$
$$s_z \ne 0 \implies \mathrm{break\_symmetry}(\mathbf{s}) = \mathrm{sign}(s_z).$$

3.5 3-Dimensional Criteria 

The 3-dimensional criteria that combine the horizontal and vertical criteria for 
conflict and loss of separation are defined as follows. 
Definition 3.5 (criterion 3D).

$$\begin{aligned}
\mathrm{criterion\_3D}(\mathbf{s}, \mathbf{v}, \varepsilon_h, \varepsilon_v)(\mathbf{v}') \;\equiv\;
& (\mathbf{s}^2 > D^2 \text{ AND } \mathrm{horizontal\_criterion}(\mathbf{s}, \varepsilon_h)(\mathbf{v}')) \text{ OR} \\
& (\mathrm{vertical\_criterion}(\mathbf{s}, \mathbf{v}, \varepsilon_v)(\mathbf{v}') \text{ AND} \\
& \quad (\mathbf{s}^2 < D^2 \text{ OR } \mathrm{horizontal\_criterion}(\mathbf{s}, \varepsilon_h)(\mathbf{v}' - \mathbf{v}))).
\end{aligned}$$

Definition 3.6 (los criterion 3D).

$$\mathrm{los\_criterion\_3D}(\mathbf{s}, \mathbf{v}, T)(\mathbf{v}') \;\equiv\; \mathrm{horizontal\_los\_criterion}(\mathbf{s}, \mathbf{v}, T)(\mathbf{v}') \text{ OR } \mathrm{vertical\_los\_criterion}(\mathbf{s}, \mathbf{v}, T)(\mathbf{v}').$$

4 Correctness Theorems 

The correctness theorems for the conflict case ensure that the resolutions result 
in conflict free trajectories. The correctness theorems for the loss of separation 
case establish two key properties: 

• Divergence of the two aircraft. 

• Timeliness of the recovery, that is separation will be achieved within a 
specified amount of time. 

The theorems in this section are presented without proof. For a presenta- 
tion of the proofs, see [6]. 

4.1 Horizontal Correctness Theorems 

4.1.1 Conflict Case 

The horizontal distance between two aircraft at time $t$ has a simple represen-
tation in the relative frame:

$$\begin{aligned}
& \sqrt{[(s_{ox} + v_{ox} t) - (s_{ix} + v_{ix} t)]^2 + [(s_{oy} + v_{oy} t) - (s_{iy} + v_{iy} t)]^2} \\
&= \sqrt{(s_x + v_x t)^2 + (s_y + v_y t)^2} \\
&= \|\mathbf{s} + \mathbf{v} t\|,
\end{aligned}$$

where $\mathbf{s}$ and $\mathbf{v}$ are 2-dimensional relative vectors in the horizontal plane. A
conflict is a predicted loss of separation. Thus, horizontal_conflict can be
defined as a loss of separation in the horizontal plane:

Definition 4.1 (horizontal conflict).

$$\mathrm{horizontal\_conflict?}(\mathbf{s}, \mathbf{v}) \;\equiv\; \exists\, t : \|\mathbf{s} + \mathbf{v} t\| < D.$$

This predicate is true whenever the two aircraft are in conflict. In other
words there exists a future time $t$ where a loss of separation will occur.

We can now present the key correctness theorems, when one aircraft ma- 
neuvers (independence) and when both aircraft maneuver (coordination). 

Theorem 4.1 (horizontal criterion independence). If the aircraft are
horizontally separated at $\mathbf{s}$, then

$$\mathrm{horizontal\_criterion}(\mathbf{s}, \varepsilon)(\mathbf{v}) \implies \text{NOT } \mathrm{horizontal\_conflict?}(\mathbf{s}, \mathbf{v}).$$

The theorem above establishes that the horizontal criterion (Definition 3.1)
is sufficient when only one of the aircraft maneuvers. The next theorem states
that the horizontal criterion is also adequate when both aircraft maneuver.
This is implicit in the fact that the argument to horizontal_conflict? is
$\mathbf{v}'_o - \mathbf{v}'_i$, which contains both of the new velocity vectors for the ownship and
intruder aircraft.

Theorem 4.2 (horizontal criterion coordination). If the aircraft are
horizontally separated at $\mathbf{s}$, then

$$\begin{aligned}
& \mathrm{horizontal\_conflict?}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) \text{ AND} \\
& \mathrm{horizontal\_criterion?}(\mathbf{s}, \varepsilon)(\mathbf{v}'_o - \mathbf{v}_i) \text{ AND} \\
& \mathrm{horizontal\_criterion?}(-\mathbf{s}, \varepsilon)(\mathbf{v}'_i - \mathbf{v}_o) \\
\implies\; & \text{NOT } \mathrm{horizontal\_conflict?}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i).
\end{aligned}$$

The theorem also reveals that it is essential that the unit value $\varepsilon = \pm 1$
must be the same for both aircraft in order for there to be coordination. Note
that the criterion for the traffic aircraft has arguments that are the negative
of the ownship. The position of the traffic aircraft relative to the ownship is
$\mathbf{s}_i - \mathbf{s}_o$, which equals $-\mathbf{s}$, and $\mathbf{v}_i - \mathbf{v}_o$, which equals $-\mathbf{v}$.
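As an added illustration (this code is not from the paper), the following Python evaluates Definition 3.1 and Definition 4.1 on a constructed head-on encounter and checks the claims of Theorems 4.1 and 4.2 numerically, including what happens when the two aircraft end up with opposite direction parameters. It assumes the typical value D = 5 nmi, restricts the conflict predicate to future times t ≥ 0 and evaluates it at the time of closest approach; the geometry, speeds and turn angles are constructed for the example.

```python
# Added example (not the paper's code): numeric check of the horizontal
# criterion (Definition 3.1) against horizontal_conflict? (Definition 4.1) on a
# constructed head-on encounter, exercising the independence (Theorem 4.1) and
# coordination (Theorem 4.2) claims.  Units: nautical miles and knots.
import math

D = 5.0  # minimum horizontal separation, nautical miles (the paper's typical value)

def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]

def det(a, b):
    return a[0] * b[1] - a[1] * b[0]

def sub(a, b):
    return (a[0] - b[0], a[1] - b[1])

def velocity(speed, heading_deg):
    """(east, north) velocity for a ground speed and a heading measured
    counter-clockwise from east; used only to construct maneuvers."""
    h = math.radians(heading_deg)
    return (speed * math.cos(h), speed * math.sin(h))

def horizontal_criterion(s, eps, vp):
    """Definition 3.1: s . v' >= R * eps * det(s, v'), R = sqrt(s^2 - D^2) / D,
    for relative position s, relative resolution velocity v' and eps in {+1, -1}."""
    s2 = dot(s, s)
    if s2 <= D * D:
        raise ValueError("the criterion presupposes horizontal separation at s")
    R = math.sqrt(s2 - D * D) / D
    return dot(s, vp) >= R * eps * det(s, vp)

def directions_satisfied(s, vp):
    """Direction parameters for which the criterion accepts v' (may be empty)."""
    return tuple(e for e in (+1, -1) if horizontal_criterion(s, e, vp))

def horizontal_conflict(s, v):
    """Definition 4.1 over future times (assumption of this example):
    exists t >= 0 with ||s + t v|| < D, evaluated at the time of closest
    approach clamped to t >= 0."""
    v2 = dot(v, v)
    t = 0.0 if v2 == 0 else max(0.0, -dot(s, v) / v2)
    c = (s[0] + t * v[0], s[1] + t * v[1])
    return dot(c, c) < D * D

def head_on_example(own_turn_deg, traffic_turn_deg):
    """Constructed encounter: ownship at the origin flying east at 450 kt, traffic
    40 nmi ahead flying west at 450 kt.  Each aircraft turns by the given angle
    (positive = to its own left).  Each evaluates the criterion with only its
    own new velocity and the other's broadcast current velocity, in its own
    relative frame (s for the ownship, -s for the traffic), as in Theorem 4.2."""
    s_o, v_o = (0.0, 0.0), velocity(450.0, 0.0)
    s_i, v_i = (40.0, 0.0), velocity(450.0, 180.0)
    s, v = sub(s_o, s_i), sub(v_o, v_i)          # relative state, traffic at origin
    vp_o = velocity(450.0, 0.0 + own_turn_deg)   # ownship's resolution velocity
    vp_i = velocity(450.0, 180.0 + traffic_turn_deg)  # traffic's resolution velocity
    return {
        "conflict_before": horizontal_conflict(s, v),
        "own_eps": directions_satisfied(s, sub(vp_o, v_i)),
        "traffic_eps": directions_satisfied(sub(s_i, s_o), sub(vp_i, v_o)),
        "conflict_if_only_own_turns": horizontal_conflict(s, sub(vp_o, v_i)),
        "conflict_if_both_turn": horizontal_conflict(s, sub(vp_o, vp_i)),
    }

if __name__ == "__main__":
    for turns in ((20.0, 20.0), (20.0, -20.0), (10.0, 0.0)):
        print(turns, head_on_example(*turns))
```

With 20-degree left turns on both sides each aircraft satisfies the criterion for the same ε and the combined maneuver is conflict free; when the traffic turns right instead it satisfies the criterion only for the opposite ε, and the combined result is again a head-on conflict.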

4.1.2 Loss of Separation Case 

For the loss of separation recovery theorems we need to introduce two ad- 
ditional predicates, horizontal_sep_after? and horizontal_divergent?, 
which are defined as follows: 
Definition 4.2 (horizontal sep after?).

$$\mathrm{horizontal\_sep\_after?}(\mathbf{s}, \mathbf{v}, t) \;\equiv\; \forall\, t' : t' > t \implies (\mathbf{s} + t' \mathbf{v})^2 > D^2.$$

This predicate is true if and only if the aircraft are adequately separated for
all times greater than $t$.

Definition 4.3 (horizontal divergent?).

$$\mathrm{horizontal\_divergent?}(\mathbf{s}, \mathbf{v}) \;\equiv\; \forall\, t : t > 0 \implies \|\mathbf{s}\| < \|\mathbf{s} + t \mathbf{v}\|.$$

This predicate is true if the distance between the aircraft is strictly increasing
for all times greater than $t$.

The key horizontal loss of separation theorems are:

Theorem 4.3 (horizontal los criterion independence).

$$\begin{aligned}
& \mathrm{horizontal\_los\_criterion?}(\mathbf{s}, \mathbf{v}, T_h)(\mathbf{v}') \\
\implies\; & \mathrm{horizontal\_divergent?}(\mathbf{s}, \mathbf{v}') \text{ AND} \\
& \mathrm{horizontal\_sep\_after?}(\mathbf{s}, \mathbf{v}', T_h).
\end{aligned}$$

Thus, if only one aircraft maneuvers and its algorithm satisfies the criterion,
then the two aircraft will be in a divergent state, and within time $T_h$, they will
no longer be in loss of separation. The next theorem covers the case where
both aircraft maneuver.

Theorem 4.4 (horizontal los criterion coordination).

$$\begin{aligned}
& \mathrm{horizontal\_los\_criterion?}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, T_1)(\mathbf{v}'_o - \mathbf{v}_i) \text{ AND} \\
& \mathrm{horizontal\_los\_criterion?}(-\mathbf{s}, \mathbf{v}_i - \mathbf{v}_o, T_2)(\mathbf{v}'_i - \mathbf{v}_o) \\
\implies\; & \mathrm{horizontal\_divergent?}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i) \text{ AND} \\
& \mathrm{horizontal\_sep\_after?}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i, \min(T_1, T_2)).
\end{aligned}$$

The theorem shows us that if both aircraft’s algorithms satisfy the criterion,
then the combined result will be implicitly coordinated. This is reflected in
the fact that both horizontal_divergent? and horizontal_sep_after? (in
the conclusion) have $\mathbf{v}'_o - \mathbf{v}'_i$ as their parameters (i.e., both of the aircraft’s
resolutions). Note that the time to exit from the protection zone is the mini-
mum of the two local times $T_1$ and $T_2$. Thus, each local aircraft will meet its
local timeliness goal.

For examples of formally verified practical algorithms for recovery from
loss of separation, the reader is referred to [2].
4.2 Vertical Correctness Theorems

4.2.1 Conflict Case 

The vertical correctness theorems in the conflict case are 3-dimensional. They 
include the case when the velocity vector v' achieves vertical separation by 
only modifying the vertical speed, but also the cases when vertical separation 
is achieved by modifying the horizontal components of v'. 

We introduce a predicate conflict?, which is true whenever there is a 
future time where both vertical and horizontal separation is lost: 

Definition 4.4 (conflict?).

$$\mathrm{conflict?}(\mathbf{s}, \mathbf{v}) \;\equiv\; \exists\, t : t > 0 \text{ AND } |s_z + t v_z| < H \text{ AND } (\mathbf{s} + t \mathbf{v})^2 < D^2.$$

The key correctness theorems are:

Theorem 4.5 (vertical criterion independence).

$$\mathrm{vertical\_criterion?}(\mathbf{s}, \mathbf{v}, \varepsilon)(\mathbf{v}') \implies \text{NOT } \mathrm{conflict?}(\mathbf{s}, \mathbf{v}').$$

Theorem 4.6 (vertical criterion coordination).

$$\begin{aligned}
& \mathrm{conflict?}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i) \text{ AND} \\
& \mathrm{vertical\_criterion?}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, \varepsilon)(\mathbf{v}'_o - \mathbf{v}_i) \text{ AND} \\
& \mathrm{vertical\_criterion?}(-\mathbf{s}, \mathbf{v}_i - \mathbf{v}_o, -\varepsilon)(\mathbf{v}'_i - \mathbf{v}_o) \\
\implies\; & \text{NOT } \mathrm{conflict?}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i).
\end{aligned}$$

The first theorem establishes correctness when only one aircraft maneuvers, 
and the second theorem establishes correctness when both aircraft maneuver. 

It is important to note that as long as the ownship uses the unit value $\varepsilon = \pm 1$
and the intruder uses the opposite value $-\varepsilon$, coordination is guaranteed. We
also note that this is different from the horizontal theorems, where it is required
that the unit value $\varepsilon$ be the same for the ownship and intruder aircraft.

4.2.2 Loss of Separation Case 

As noted in Section 3.4, the vertical loss of separation criterion is one-dimensional. 
Therefore, we introduce predicates that define divergence and timeliness with 
respect to the vertical dimension alone. Vertical divergence is defined by 

vertical_divergent:

Definition 4.5 (vertical divergent).

$$\mathrm{vertical\_divergent?}(\mathbf{s}, \mathbf{v}) \;\equiv\; \forall\, t : t > 0 \implies |s_z| < |s_z + t v_z|.$$

Definition 4.6 (vertical_sep_after).

$$\mathrm{vertical\_sep\_after}(\mathbf{s}, \mathbf{v}, t) \;\equiv\; |s_z + t v_z| > H.$$

These predicates appear in the correctness theorem to ensure that there is 
divergence in the vertical dimension and that recovery will be achieved within 
a maximum time, say T v . The vertical loss of separation theorems provide 
results for both the independent and the coordinated cases: 

Theorem 4.7 (vertical los criterion independence).

$$\begin{aligned}
& \mathrm{vertical\_los\_criterion?}(\mathbf{s}, \mathbf{v}, T_v)(\mathbf{v}') \\
\implies\; & \mathrm{vertical\_divergent?}(\mathbf{s}, \mathbf{v}') \text{ AND} \\
& \mathrm{vertical\_sep\_after?}(\mathbf{s}, \mathbf{v}', T_v).
\end{aligned}$$

Theorem 4.8 (vertical_los criterion coordination).

$$\begin{aligned}
& \|\mathbf{s}\| \ne 0 \text{ AND} \\
& \mathrm{vertical\_los\_criterion?}(\mathbf{s}, \mathbf{v}_o - \mathbf{v}_i, T_v)(\mathbf{v}'_o - \mathbf{v}_i) \text{ AND} \\
& \mathrm{vertical\_los\_criterion?}(-\mathbf{s}, \mathbf{v}_i - \mathbf{v}_o, T_v)(\mathbf{v}'_i - \mathbf{v}_o) \\
\implies\; & \mathrm{vertical\_divergent?}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i) \text{ AND} \\
& \mathrm{vertical\_sep\_after?}(\mathbf{s}, \mathbf{v}'_o - \mathbf{v}'_i, T_v).
\end{aligned}$$

The first predicate rules out the situation where the two aircraft are exactly 
over each other (i.e., their horizontal distance apart is 0). 
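As an added example (not code from the paper), the following Python implements the vertical loss-of-separation criterion of Definition 3.4 together with the predicates of Definitions 4.5 and 4.6, and checks Theorems 4.7 and 4.8 on a constructed encounter in which both aircraft are level, 300 ft apart vertically and inside horizontal separation. It assumes H = 1000 ft, one particular admissible break_symmetry (chosen here, not prescribed by the paper) and constructed vertical speeds.

```python
# Added example (not the paper's code): the vertical loss-of-separation
# criterion of Definition 3.4 (z_criterion?, break_symmetry, ttez) with the
# divergence and timeliness predicates of Definitions 4.5 and 4.6, exercised
# on a constructed encounter.  Altitudes in feet, vertical speeds in feet per
# minute, times in minutes; horizontal components in nautical miles and used
# only for the ||s|| != 0 premise of Theorem 4.8 and for the tie-break.

H = 1000.0  # minimum vertical separation, feet (the paper's typical value)

def sign(x):
    """The paper's sign: -1 for negative arguments, +1 otherwise."""
    return -1 if x < 0 else 1

def z_prop(s_z, v_z):
    """z_prop?(s_z, v_z) = s_z * v_z > 0: moving away from the other aircraft."""
    return s_z * v_z > 0

def break_symmetry(s):
    """One admissible break_symmetry (an assumption of this example): sign(s_z)
    when s_z != 0, otherwise the sign of the first nonzero horizontal component.
    It is antisymmetric in s for s != 0, as the paper's two properties require."""
    s_x, s_y, s_z = s
    if s_z != 0:
        return sign(s_z)
    return sign(s_x) if s_x != 0 else sign(s_y)

def z_criterion(s, v_z, vp_z):
    """z_criterion?(s, v_z)(v'_z) from Section 3.4."""
    if vp_z == 0 or not z_prop(s[2], vp_z):
        return False
    if z_prop(s[2], v_z):              # already diverging vertically
        return True
    if v_z != 0:                       # keep the sign of the current vertical speed
        return sign(v_z) * vp_z > 0
    return break_symmetry(s) * vp_z > 0   # equal vertical speeds: break the tie

def ttez(s_z, v_z):
    """Time to exit vertically, (sign(v_z) H - s_z) / v_z, for v_z != 0."""
    return (sign(v_z) * H - s_z) / v_z

def vertical_los_criterion(s, v_z, T_v, vp_z):
    """Definition 3.4: currently in vertical LOS, diverging, and out within T_v."""
    return abs(s[2]) < H and z_criterion(s, v_z, vp_z) and T_v >= ttez(s[2], vp_z)

def vertical_divergent(s_z, v_z):
    """Definition 4.5: |s_z| < |s_z + t v_z| for every t > 0."""
    return s_z * v_z > 0 or (s_z == 0 and v_z != 0)

def vertical_sep_after(s_z, v_z, t):
    """Definition 4.6: |s_z + t v_z| > H."""
    return abs(s_z + t * v_z) > H

def recovery_example(own_vz_new, traffic_vz_new, T_v=2.0):
    """Constructed LOS: ownship 300 ft above the traffic and 2 nmi away
    horizontally, both level.  Each aircraft applies the criterion in its own
    relative frame (s for the ownship, -s for the traffic) using only the
    other's current, unchanged vertical speed; the combined relative vertical
    speed is then checked against the conclusion of Theorem 4.8."""
    s = (2.0, 0.0, 300.0)            # s_o - s_i
    v_o_z, v_i_z = 0.0, 0.0          # current vertical speeds
    neg_s = tuple(-c for c in s)     # the traffic's view: s_i - s_o
    own_ok = vertical_los_criterion(s, v_o_z - v_i_z, T_v, own_vz_new - v_i_z)
    trf_ok = vertical_los_criterion(neg_s, v_i_z - v_o_z, T_v, traffic_vz_new - v_o_z)
    combined = own_vz_new - traffic_vz_new   # v'_o,z - v'_i,z
    return {
        "own_meets_criterion": own_ok,
        "traffic_meets_criterion": trf_ok,
        "combined_divergent": vertical_divergent(s[2], combined),
        "combined_separated_by_T_v": vertical_sep_after(s[2], combined, T_v),
    }

if __name__ == "__main__":
    print(recovery_example(1000.0, -500.0))   # ownship climbs, traffic descends
    print(recovery_example(1000.0, 500.0))    # both climb: traffic's choice rejected
```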

4.3 3-D Correctness Theorems 

The correctness theorems for the 3-dimensional conflict and loss of separation 
criteria are stated as follows. 

Theorem 4.9 (criterion_3D_independence). 

$\mathrm{criterion\_3D?}(s, v, \varepsilon_h, \varepsilon_v)(v') \;\Rightarrow\; \mathrm{NOT}\ \mathrm{conflict?}(s, v').$ 

Theorem 4.10 (criterion_3D_coordination). 

$\mathrm{conflict?}(s, v_o - v_i) \;\mathrm{AND}$ 
$\mathrm{criterion\_3D?}(s, v_o - v_i, \varepsilon_h, \varepsilon_v)(v'_o - v_i) \;\mathrm{AND}$ 
$\mathrm{criterion\_3D?}(-s, v_i - v_o, \varepsilon_h, -\varepsilon_v)(v'_i - v_o)$ 
$\;\Rightarrow\; \mathrm{NOT}\ \mathrm{conflict?}(s, v'_o - v'_i).$ 

Theorem 4.11 (los_criterion_3D_independence). 

$\mathrm{los\_criterion\_3D?}(s, v, T)(v') \;\Rightarrow\; \mathrm{divergent?}(s, v') \;\mathrm{AND}\; \mathrm{separation\_after?}(s, v', T),$ 

where 

$\mathrm{divergent?}(s, v') = \mathrm{horizontal\_divergent?}(s, v') \;\mathrm{OR}\; \mathrm{vertical\_divergent?}(s, v'),$ 
$\mathrm{separation\_after?}(s, v', t) = \mathrm{horizontal\_sep\_after?}(s, v', t) \;\mathrm{OR}\; \mathrm{vertical\_sep\_after?}(s, v', t).$ 

Theorem 4.12 (los_criterion_3D_coordination). 

$\mathrm{los\_criterion\_3D?}(s, v_o - v_i, T_1)(v'_o - v_i) \;\mathrm{AND}$ 
$\mathrm{los\_criterion\_3D?}(-s, v_i - v_o, T_2)(v'_i - v_o)$ 
$\;\Rightarrow\; \mathrm{divergent?}(s, v'_o - v'_i) \;\mathrm{AND}\; \mathrm{separation\_after?}(s, v'_o - v'_i, \min(T_1, T_2)).$ 

These theorems guarantee that all combinations of horizontal and vertical 
maneuvers are independently correct and that they are implicitly coordinated. 
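The loss-of-separation theorems above all end in the same two conclusion predicates, divergent? and separation_after?. The following Python module is an added example, not code from the paper or from the ACCoRD PVS development: it implements those predicates in closed form and uses them to check a proposed recovery maneuver for the independent case (Theorem 4.11) and the coordinated case (Theorem 4.12). Assumptions: the horizontal analogues of Definitions 4.5 and 4.6 are taken to be ‖s_h + t v_h‖ > ‖s_h‖ for all t > 0 and ‖s_h + T v_h‖ > D (the paper defines them in an earlier section, not shown here); the zone dimensions D and H and the scenario values are constructed; and the closed-form test for Definition 4.5 (s_z v_z > 0, or s_z = 0 with v_z ≠ 0) is derived here and cross-checked by sampling the quantified definition on a time grid.

```python
# Added example (not from the paper or the ACCoRD PVS library): checks the
# conclusions of the loss-of-separation theorems of Section 4 for concrete
# relative states.  Positions in metres, velocities in m/s, times in seconds;
# vectors are (x, y, z) tuples with z the vertical component.
import math

D = 9260.0   # diameter of the protection zone (constructed: about 5 NM)
H = 305.0    # height of the protection zone (constructed: about 1000 ft)


def vertical_divergent(s, v):
    """Definition 4.5: |s_z| < |s_z + t*v_z| for every t > 0.

    Closed form (derived here, not quoted from the paper): the vertical
    distance grows for all t > 0 exactly when s_z*v_z > 0, or s_z = 0 and
    v_z != 0.  Otherwise it shrinks for small t or stays constant.
    """
    sz, vz = s[2], v[2]
    return sz * vz > 0 or (sz == 0 and vz != 0)


def vertical_sep_after(s, v, t, h=H):
    """Definition 4.6: |s_z + t*v_z| > H."""
    return abs(s[2] + t * v[2]) > h


def horizontal_divergent(s, v):
    """Assumed horizontal analogue of Definition 4.5:
    ||s_h + t*v_h|| > ||s_h|| for all t > 0.  Expanding the square gives
    2*(s.v) + t*||v||^2 > 0 for all t > 0, i.e. s.v >= 0 and v_h != 0."""
    sx, sy, vx, vy = s[0], s[1], v[0], v[1]
    return sx * vx + sy * vy >= 0 and (vx, vy) != (0.0, 0.0)


def horizontal_sep_after(s, v, t, d=D):
    """Assumed horizontal analogue of Definition 4.6: ||s_h + t*v_h|| > D."""
    return math.hypot(s[0] + t * v[0], s[1] + t * v[1]) > d


def divergent(s, v):
    """Theorem 4.11: divergence in either dimension suffices."""
    return horizontal_divergent(s, v) or vertical_divergent(s, v)


def separation_after(s, v, t):
    """Theorem 4.11: separation in either dimension suffices."""
    return horizontal_sep_after(s, v, t) or vertical_sep_after(s, v, t)


def recovery_ok_independent(s, v_prime, T):
    """Conclusion of Theorem 4.11 for a single maneuvering aircraft."""
    return divergent(s, v_prime) and separation_after(s, v_prime, T)


def recovery_ok_coordinated(s, vo_prime, vi_prime, T1, T2):
    """Conclusion of Theorem 4.12: both aircraft maneuver, possibly with
    different recovery times; the guarantee holds for min(T1, T2)."""
    rel = tuple(a - b for a, b in zip(vo_prime, vi_prime))
    return recovery_ok_independent(s, rel, min(T1, T2))


def vertical_divergent_bruteforce(s, v, t_max=600.0, steps=6000):
    """Sample Definition 4.5 directly on a time grid as a sanity check of
    the closed form above (a constructed check, not a proof)."""
    sz, vz = s[2], v[2]
    return all(abs(sz) < abs(sz + (k * t_max / steps) * vz)
               for k in range(1, steps + 1))


if __name__ == "__main__":
    # Constructed scenario: aircraft already inside the zone (1 NM apart
    # horizontally, ownship 61 m above), ownship climbs, traffic holds level.
    s = (1852.0, 0.0, 61.0)
    v_own = (0.0, 0.0, 10.0)
    print(recovery_ok_independent(s, v_own, T=60.0))
```

This module evaluates only the safety property a criterion is supposed to imply; establishing that a candidate algorithm satisfies los_criterion_3D? is the separate second step described in Section 8. A test harness for a new algorithm would assert recovery_ok_independent and recovery_ok_coordinated on every resolution it produces, which is exactly what Theorems 4.11 and 4.12 promise once the criterion is met.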

5 Choice of Direction Parameter, ε 

The criteria presented in Section 3 include a direction parameter ε, which is 
a unit value ±1. This parameter captures the notion of whether the aircraft 
should turn to the left or right in the horizontal dimension, or similarly up or 
down in the vertical dimension. From the standpoint of the criteria, the choice 
is arbitrary, and either choice is safe. Since either choice is safe, we can choose 
an epsilon based on other factors, such as minimizing the size of the turn. 

The key idea is that the choice of ε is just as significant a policy decision 
as the agreement on the criteria itself. 
5.1 Horizontal Direction Parameter 

There are many schemes that could be developed for choosing the horizontal 
unit value ε used by both aircraft involved in a pairwise conflict, but it 
is essential that if Horizontal_Direction is the function that chooses the 
horizontal ε, the following property holds: 

$\mathrm{Horizontal\_Direction}(s, v) = \mathrm{Horizontal\_Direction}(-s, -v).$ (1) 

This is sufficient to ensure that both aircraft will choose the same ε for the 
horizontal case. 

One simple schema that satisfies Formula (1) is to mandate that ε = 1, i.e., 
use the green solutions only. Alternatively, we could set ε = −1 and only use 
blue solutions. The use of a simple static method for choosing the horizontal 
direction parameter, e.g., ε = −1, will inevitably leave out useful coordinated 
solutions. This is illustrated in Figure 14. 

Figure 14. Static ε = −1 Direction Problem 

For this configuration of aircraft, there are no blue (ε = −1) ownship 
resolutions. Note that the traffic aircraft has both green and blue resolutions. 
The brown region is where the green and blue regions overlap. There are other 
configurations where there are no green solutions. 

We recommend the following method: 
Definition 5.1 (Preferred Horizontal Direction Parameter). 

$\varepsilon = \mathrm{sign}(s^{\perp} \cdot v).$ 

This non-static method will sometimes pick a green region and sometimes pick 
a blue region, as illustrated in Figure 15. 

Figure 15. Our Recommended Direction Parameter 

The top configuration in Figure 15 results in a green choice while the bottom 
configuration results in a blue choice. Nevertheless, in all cases the combined 
result will be implicitly coordinated. 

5.2 Vertical Direction 

Any function Vertical_Direction that chooses a unit value ε for the vertical 
criterion must satisfy 

$\mathrm{Vertical\_Direction}(s, v) = -\mathrm{Vertical\_Direction}(-s, -v).$ (2) 

This property guarantees that if the ownship chooses a unit value ε = ±1, the 
intruder aircraft will choose the opposite value −ε. 

A simple schema that satisfies Formula (2) is to use ε = 1 for the aircraft 
that is higher, ε = −1 for the lower aircraft, and to use a symmetry-breaking 
mechanism if the aircraft are at the same flight level. There are many 
possibilities for the symmetry-breaking function and any can be used as long 
as the following property holds: 

$s \neq 0 \;\Rightarrow\; \mathrm{break\_symmetry}(s) = -\mathrm{break\_symmetry}(-s).$ 

For example, the following function satisfies the property above: 

$\mathrm{break\_symmetry}(s) = \mathrm{IF}\; s_z > 0 \;\mathrm{OR}$ 
$\qquad (s_z = 0 \;\mathrm{AND}\; s_x > 0) \;\mathrm{OR}$ 
$\qquad (s_z = 0 \;\mathrm{AND}\; s_x = 0 \;\mathrm{AND}\; s_y > 0)$ 
$\quad \mathrm{THEN}\; 1$ 
$\quad \mathrm{ELSE}\; -1$ 
$\quad \mathrm{ENDIF}.$ 

The simple schema is not ideal when the aircraft is currently climbing or 
descending. Consider the following diagram (Figure 16), where the aircraft 
is currently descending and is only slightly higher than the other aircraft. 

Figure 16. Vertical Criterion: Perspective View 

In this case it is better to increase the speed of the descent rather than 
abruptly change directions and climb upward. Thus, we prefer the following 
method to select the vertical unit value ε: 

Definition 5.2 (Preferred Vertical Direction Parameter). 

$\varepsilon = \mathrm{IF}\; s_z + \theta_{-1}\, v_z > 0 \;\mathrm{THEN}\; 1$ 
$\quad \mathrm{ELSEIF}\; s_z + \theta_{-1}\, v_z < 0 \;\mathrm{THEN}\; -1$ 
$\quad \mathrm{ELSE}\; \mathrm{break\_symmetry}(s)$ 
$\quad \mathrm{ENDIF}.$ 

This policy checks the z-component at the time of horizontal entry into the 
protection zone, $\theta_{-1}$. 
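Sections 5.1 and 5.2 fix the direction parameter by policy and require properties (1) and (2) of whatever policy is chosen. The following Python module is an added example, not code from the paper or from the ACCoRD library: it implements Definition 5.1, the example break_symmetry function, and Definition 5.2, and checks properties (1) and (2) and the break_symmetry property on randomly constructed relative states. Assumptions: s^⊥ is taken as the horizontal part of s rotated 90 degrees counter-clockwise (the paper defines s^⊥ in an earlier section); θ_{−1} is computed here as the smaller root of ‖s_h + t v_h‖² = D² using the discriminant Δ(s, v) of Appendix A; when the horizontal paths never enter the zone the vertical policy falls back to break_symmetry, which is my choice rather than the paper's; the zone diameter D and all sample states are constructed.

```python
# Added example (not from the paper or the ACCoRD library): the direction
# parameter policies of Section 5 with checks of properties (1) and (2).
# Vectors are (x, y, z) tuples; s is relative position, v relative velocity.
import math
import random

D = 9260.0  # protection zone diameter (constructed value)


def sign(x):
    """Appendix A: IF x > 0 THEN 1 ELSE -1 ENDIF."""
    return 1 if x > 0 else -1


def perp(s):
    """s^perp: horizontal part of s rotated 90 degrees counter-clockwise
    (assumed convention; the paper defines s^perp in an earlier section)."""
    return (-s[1], s[0])


def horizontal_direction(s, v):
    """Definition 5.1: eps = sign(s^perp . v)."""
    p = perp(s)
    return sign(p[0] * v[0] + p[1] * v[1])


def break_symmetry(s):
    """Section 5.2's example function: lexicographic tie-break on (z, x, y)."""
    sx, sy, sz = s
    if sz > 0 or (sz == 0 and sx > 0) or (sz == 0 and sx == 0 and sy > 0):
        return 1
    return -1


def theta_entry(s, v, d=D):
    """theta_{-1}: horizontal entrance time into the protection zone, the
    smaller root of ||s_h + t v_h||^2 = D^2 (computed here via the
    discriminant of Appendix A; None when the horizontal paths never
    come within D or the relative horizontal velocity is zero)."""
    sx, sy, vx, vy = s[0], s[1], v[0], v[1]
    a = vx * vx + vy * vy
    b = sx * vx + sy * vy
    c = sx * sx + sy * sy - d * d
    disc = b * b - a * c
    if a == 0 or disc < 0:
        return None
    return (-b - math.sqrt(disc)) / a


def vertical_direction(s, v):
    """Definition 5.2: sign of the vertical offset at horizontal entry time."""
    t = theta_entry(s, v)
    if t is None:
        return break_symmetry(s)  # no horizontal entry: fall back (assumption)
    z_at_entry = s[2] + t * v[2]
    if z_at_entry > 0:
        return 1
    if z_at_entry < 0:
        return -1
    return break_symmetry(s)


def neg(w):
    return tuple(-c for c in w)


def check_properties(trials=2000, seed=7):
    """Randomised check of Formula (1), Formula (2) and the break_symmetry
    property on constructed relative states.  Returns the number of
    violations found (0 expected)."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        s = (rng.uniform(-30000, 30000), rng.uniform(-30000, 30000),
             rng.uniform(-600, 600))
        v = (rng.uniform(-300, 300), rng.uniform(-300, 300),
             rng.uniform(-30, 30))
        if horizontal_direction(s, v) != horizontal_direction(neg(s), neg(v)):
            bad += 1
        if vertical_direction(s, v) != -vertical_direction(neg(s), neg(v)):
            bad += 1
        if break_symmetry(s) != -break_symmetry(neg(s)):
            bad += 1
    return bad


if __name__ == "__main__":
    # Constructed Figure 16 situation: ownship 20 m above, descending at
    # 10 m/s, closing head-on at 100 m/s.  The simple "higher aircraft
    # climbs" schema gives +1; Definition 5.2 keeps the descent (-1).
    s, v = (10000.0, 0.0, 20.0), (-100.0, 0.0, -10.0)
    print(break_symmetry(s), vertical_direction(s, v), check_properties())
```

The randomised check is not a substitute for the PVS proof of properties (1) and (2); it is the kind of executable test an implementer would run to catch an implementation that violates the agreed policy, since a mismatch between the two aircraft's ε silently breaks the coordination guarantee even when each aircraft individually satisfies its criterion.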
6 International Standard for State-Based Coordination 

Under the assumption that distributed self-separation is deemed to have suf- 
ficient benefit to the airspace community, an international standard would 
have to be created and adopted that defines the specifics of the criteria and 
their application. An important part of the work of this committee will be 
to develop the requirements that the separation algorithms must meet. These 
requirements must be evaluated for their safety properties in the manner of a 
detailed analysis, similar to what was presented in Section 4. The advantage 
of the criteria standard, which is advocated in this paper, is that it allows 
efficient investigation of these requirements on algorithms. The efficiency is 
a result of part of the safety analysis that is done once for all algorithms. If 
a single algorithm is mandated by the standard then, undoubtedly, multiple 
algorithm candidates will be evaluated first, so the efficiency of the criteria 
standard is an important enabling technology. On the other hand, if multiple 
algorithms are allowed, then the safety requirements are precisely the criteria, 
along with the associated choice of e (see Section 5). 

Understanding the criteria and proofs of correctness requires a certain level 
of mathematical sophistication. We have attempted to aid the mathematical 
analysis through the development of a mathematical framework for analyzing 
criteria and algorithms. We call this framework the Airborne Coordinated 
Conflict Resolution and Detection (ACCoRD) framework [9]. This framework 
has been developed with generality in mind. We want to support a wide 
class of algorithms and criteria. Achieving implicit coordination for both the 
independent and coordinated cases is non-trivial, and our criteria are by no 
means unique. Other criteria could be created, but eventually the world com- 
munity must decide on a set of criteria that will be adopted. Conceivably, 
the ACCoRD framework may be used for other criteria as well. We believe 
that our criteria are very general and powerful, but future refinements and 
improvements are possible. We have at least shown mathematically that such 
an approach is viable. 

All types of analysis rely on certain assumptions, and ACCoRD is no ex- 
ception. Several idealistic assumptions were made in these proofs: (1) input 
data contains no errors, (2) the computations were performed with infinite 
precision, i.e., mathematical real numbers, (3) the resolution maneuvers can 
be performed instantaneously, (4) at least one aircraft must implement the 
prescribed maneuver in a timely manner and the other aircraft must either not 
change its velocity vector or do so in accordance with the criteria, and (5) only 
two aircraft are involved in a conflict at the same time. An on-going research 
effort is underway to enhance ACCoRD by relaxing all of these assumptions. 
One great advantage of the formal mathematical approach is that the proofs 
of correctness can not only be checked by domain experts, but they can also 
be checked by specialized software called theorem provers. The mathematical 
proofs in ACCoRD were verified using the PVS theorem prover [7]. 


7 Implications for Strategic Algorithms 

The safety argument for a distributed implementation of self-separation is typ- 
ically built around the idea that there are layers of recovery. Typical layers 
include (1) strategic conflict resolution, (2) state-based tactical conflict resolu- 
tion, and finally (3) collision avoidance [1,10]. The strategic conflict resolution 
system is designed to provide highly efficient solutions but, due to its complex- 
ity, it may fail to produce a timely solution. In this case, the system is designed 
with a backup conflict detection and resolution algorithm that is state-based. 
If this backup fails to resolve the conflict, then there is a collision avoidance 
mechanism such as TCAS II to prevent catastrophe. Each system layer con- 
tributes to the safety of the system. The strategic layer solves many conflicts 
and thus the tactical system is invoked infrequently. The tactical layer solves 
the majority of the remaining conflicts and thus the collision avoidance system 
is very infrequently invoked. The safety of the system fundamentally depends 
upon certain correctness properties of these layers, but especially upon the 
state-based backups. This is precisely where the criteria provide the needed 
guarantees. The tactical conflict resolution algorithms need only satisfy the 
conflict criteria to inherit the needed properties. The collision avoidance algo- 
rithms need only satisfy the loss of separation criteria. 

Strategic algorithms incorporate both the current position and velocity 
of the aircraft, but also include expected turns, accelerations, decelerations, 
climbs, and descents. In strategic conflict detection and resolution algorithms, 
coordination is sometimes achieved using different pilot alerting times for the 
two aircraft. Using this approach, only one aircraft maneuvers at a time. The 
aircraft with the larger lookahead time is often referred to as the burdened 
aircraft. It is essential that the mechanism for choosing the burdened aircraft 
be unambiguous and well-defined for all possible configurations of aircraft. 
We can envision an approach that blends this idea with the criteria approach 
presented in this paper. While the time to loss of separation is large, only 
the burdened aircraft maneuvers. However, if the time to loss of separation is 
small, both aircraft are allowed to maneuver in accordance with the criteria. 
We would also recommend that the strategic algorithms choose a maneuver 
(for the burdened aircraft) that is consistent with the criteria. In this way a 
seamless transition to the state-based algorithms would be achieved. In this 
blended concept, the criteria serve as a filter on the allowed solutions from the 
strategic algorithms. In fact, any resolution algorithm can be made consistent 
with the criteria by using the criteria to filter resolutions. 
There is another advantage to using the criteria to filter strategic resolution 
algorithm solutions: it provides fault tolerance. Suppose that there is some 
failure in the selection of the burdened aircraft due to data errors or some 
system failure. If both aircraft erroneously conclude that they are the burdened 
aircraft, the use of criteria will ensure that the combined result is coordinated. 

8 Conclusions 

The goal of this work was to develop a mechanism that would allow for the 
efficient safety analysis of many different separation algorithms. As a con- 
sequence of this research, we discovered a way to ensure that aircraft using 
different conflict resolution algorithms will still have a strong guarantee of 
aircraft separation. We have shown that a correct algorithm will perform a 
safe maneuver when both aircraft maneuver at the same time or when only 
one aircraft executes a maneuver. The mechanism proposed in this paper is 
the use of an intermediate layer called the criteria layer. For each criterion, 
the basic idea is to decompose the safety argument into two steps: first, the 
criterion implies correctness, and second an algorithm satisfies the criterion. 
The first step establishes that the criterion is sufficient to meet the correctness 
properties. This verification step has already been accomplished within the 
ACCoRD framework [9]. We note that if alternate formulas are adopted, the 
verification would need to be redone. However, some mathematical tools have 
been developed that could simplify this new verification [6]. The second step 
shows that a particular algorithm meets the criterion. This must be accom- 
plished for each new algorithm that is developed. We believe that this step is 
relatively easier than the first step. 

For multiple algorithms to be used safely within the distributed concept for 
self-separation, the international standard must agree on both specific formu- 
las for criteria and a particular method for choosing the direction parameters 
(e) that appear in the criteria. Some may argue that the proposed criteria 
are too complex for an international standard to address. We counter that 
argument with the observation that the criteria here are far simpler than the 
specification of Traffic Collision Avoidance System (TCAS), whose state ma- 
chine representation is over 700 pages long [8]. Furthermore, the estimated 
cost of the TCAS II development over a period of fifteen years was $400 mil- 
lion in 2001 dollars. This estimate includes tests, analyses, and computer 
simulations [5]. The criteria formulas presented in this paper are complex and 
a certain level of mathematical sophistication is required to understand them. 
However, separation systems are complex and safety critical by their nature. 
We conclude that it will be easier to mandate a set of criteria than attempt 
to gain international agreement for the development of a single algorithm. 

We have sought to make the criteria as general as possible, though we 
expect that improvements will continue to be made. An air transportation 
system built around a criteria standard will be far more general and flexible 
than a concept where a particular algorithm is mandated. Specifically, the 
criteria standard supports the natural evolution of the air transportation sys- 
tem as better technologies are introduced that enable better algorithms. In 
an approach where a single algorithm is mandated, changes in technologies 
require new international committees. However, in the criteria approach, it is 
only necessary to show that the new algorithm satisfies the criteria. It then 
inherits the system-wide global guarantees of coordinated resolutions. 

Additionally, the criteria may be used in other contexts. For instance, the 
criteria can be displayed on the ground control station so that the controllers 
have an indication of what the algorithms will do. In fact, this criterion 
approach is not limited to only distributed separation assurance protocols. 
It could be applied to ground-based concepts. In this way, as long as the 
controllers choose resolutions within the criteria, hand-offs between sectors, or 
even between nations, would be coordinated. 
Appendix A 

Summary of Notation 

break_symmetry                    function used to break vertical symmetry 
conflict?(s, v)                   true if aircraft are in conflict horizontally and vertically 
criterion_3D                      the 3-dimensional criterion for conflict resolution 
D                                 diameter of protection zone around an aircraft 
$\Delta(s, v)$                    discriminant of the quadratic equation from $(s + t\,v)^2 = D^2$ 
det(s, v)                         
horizontal_divergent?(s, v)       true if horizontal distance between two aircraft is increasing 
$\varepsilon$                     ±1, the direction parameter 
exit_dot_min(s, t)                t(£> − M) 
H                                 height of protection zone around an aircraft 
horizontal_criterion              the criterion for horizontal conflict resolution 
horizontal_los_criterion          the criterion for horizontal loss of separation recovery 
horizontal_conflict?(s, v)        true if aircraft are in conflict horizontally 
horizontal_sep_after?(s, v, t)    true if aircraft will be horizontally separated after time t 
los_criterion_3D                  the 3-dimensional criterion for loss of separation recovery 
$\theta_{-1}$                     horizontal entrance time into protection zone 
$\theta_{+1}$                     horizontal exit time from protection zone 
sign(x)                           IF x > 0 THEN 1 ELSE −1 ENDIF 
$s_o$                             initial position of the ownship aircraft 
$s_i$                             initial position of the traffic aircraft 
vertical_criterion?               the criterion for vertical conflict resolution 
vertical_los_criterion?           the criterion for vertical loss of separation recovery 
vertical_sep_after?(s, v, t)      true iff there is vertical separation after t 
vertical_divergent?(s, v)         true if vertical distance between two aircraft is increasing 
$\|w\|$                           two-dimensional norm of vector w 
z_prop?(s, v)                     $s_z v_z > 0$ 
Appendix B 

Summary of Criteria 

The following table provides a quick reference summary of the criteria 
presented in this paper. 

horiz. 

  Conflict Resolution: 
  $s \cdot v' > R\,\varepsilon\,\det(s, v')$ 

  Loss of Separation Recovery: 
  $s \cdot v' > s \cdot v \;\wedge\; s \cdot v' > \mathrm{exit\_dot\_min}(s, T)$ 

vert. 

  Conflict Resolution: 
  $\Delta(s, v) > 0 \;\wedge\; \theta_{dir} > 0 \;\wedge\; p = (s + \theta_{dir}\, v)\ \mathrm{WITH}\ [z \leftarrow \varepsilon H] \;\wedge\; \mathrm{intersects\_half\_plane?}(s, v', p, \varepsilon)$ 

  Loss of Separation Recovery: 
  $|s_z| < H \;\wedge\; \mathrm{z\_criterion?}(s, v_z)(v'_z) \;\wedge\; T_v > \mathrm{ttez}(s_z, v'_z)$ 

3D 

  Conflict Resolution: 
  $(s^2 > D^2 \;\wedge\; \mathrm{horizontal\_criterion}(s, \varepsilon_h)(v')) \;\vee\; (\mathrm{vertical\_criterion}(s, v, \varepsilon_v)(v') \;\wedge\; (s^2 < D^2 \;\vee\; \mathrm{horizontal\_criterion}(s, \varepsilon_h)(v' + v)))$ 

  Loss of Separation Recovery: 
  $\mathrm{horizontal\_los\_criterion}(s, v, T)(v') \;\vee\; \mathrm{vertical\_los\_criterion}(s, v, T)(v')$ 